David M. Balenson, Director of Technical Outreach
NAI Labs, The Security Research Division
Network Associates, Inc.
> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> Sent: Tuesday, May 16, 2000 4:44 PM
> To: cve-editorial-board-list@lists.mitre.org
> Cc: gjg@MITRE.ORG; ptasker@MITRE.ORG
> Subject: FINAL version of CyberCrime Treaty statement - ready for
> signatures
>
>
> All,
>
> The final version of the CyberCrime treaty statement is ready for your
> signature.
>
> Editorial Board members from 26 different organizations have voted to
> ACCEPT the statement, and expect to endorse it as individuals or as
> official representatives of their companies. There are 28
> organizations on the Board at this time, so this clearly satisfies any
> "quorum" requirement.
>
> I made two small grammatical changes based on comments by Andre Frech
> and Jim Magdych, which means that I added three commas. No other
> changes were made. The final text is below.
>
> At MITRE, Gary Gagnon (a director in our Security and Information
> Operations division) is working on a strategy for conducting the
> outreach. I expect that we will have a concrete approach, including a
> coordinator, in the next day or so.
>
> The next step is to gather the signatures from Editorial Board members
> so that we have a unified statement for the outreach. I will gather
> the signatures for this initial effort.
>
> Some Board members have expressed concerns that even if they sign as
> an individual and we include a disclaimer, that listing their company
> affiliation may cause careless readers to believe that the member is
> representing an official position. To address this, I propose the
> following convention:
>
> - If you're representing an official position for your company,
> include your title and the phrase "Representing XYZ Corporation"
> as part of your signature
>
> - If you're signing as an individual, you have the option to include
> your organization or not; if not, your title and/or role in the
> community is encouraged. Consider that your title may further
> reinforce the fact that you don't speak for your organization.
>
> The "Representing" tag will reinforce who's making an official
> organizational statement and who isn't. The disclaimer has been
> adapted as follows:
>
> This statement represents the professional opinion of each
> individual signer. Unless stated otherwise, it may not represent
> the official position of the signer's parent organization.
>
> Finally, because Adam Shostack and Scott Blake introduced this issue
> to the Board, I suggest that their signatures should be listed first.
>
> Thanks to everyone for the incredible level of participation in this
> effort. It's been a busy but rewarding experience. I look forward to
> collecting your signatures as we move into the next phase.
>
> - Steve
>
>
> ************** FINAL TEXT of CyberCrime Treaty Statement
> **************
>
> Greetings:
>
> As leading security practitioners, educators, vendors, and users of
> information security, we wish to register our misgivings about the
> Council of Europe draft treaty on Crime in Cyberspace.
>
> We are concerned that portions of the proposed treaty may result in
> criminalizing techniques and software commonly used to make computer
> systems resistant to attack. Signatory states passing legislation to
> implement the treaty may endanger the security of their computer
> systems, because computer users in those countries will not be able to
> adequately protect their computer systems and the education of
> information protection specialists will be hindered.
>
> Critical to the protection of computer systems and infrastructure is
> the ability to
> * Test software for weaknesses
> * Verify the presence of defects in computer systems
> * Exchange vulnerability information
>
> System administrators, researchers, consultants, and companies all
> routinely develop, use, and share software designed to exercise known
> and suspected vulnerabilities. Academic institutions use these tools
> to educate students and in research to develop improved defenses. Our
> combined experience suggests that it is impossible to reliably
> distinguish software used in computer crime from that used for these
> legitimate purposes. In fact, they are often identical.
>
> Currently, article 6 of the draft treaty is vague regarding the use,
> distribution, and possession of software that could be used to violate
> the security of computer systems. We agree that damaging or breaking
> into computer systems is wrong and we unequivocally support laws
> against such inappropriate behavior. We affirm that a goal of the
> treaty and resulting legislation should be to permit the development
> and application of good security measures. However, legislation that
> criminalizes security software development, distribution, and use is
> counter to that goal, as it would adversely impact security
> practitioners, researchers, and educators.
>
> Therefore, we respectfully request that the treaty drafters remove
> section a.1 from article 6, and modify section b accordingly; the
> articles on computer intrusion and damage (viz., articles 1-5) are
> already sufficient to proscribe any improper use of security-related
> software or information.
>
> Please do not hesitate to call on us for technical advice in your
> future deliberations.
>
> ----------------------------------------------------------------------
>
> This statement represents the professional opinion of each individual
> signer. Unless stated otherwise, it may not represent the official
> position of the signer's parent organization.
>
>
> [Scott Blake and Adam Shostack signatures here]
>
> -- corporate signers: examples --
>
> Jane Doe
> CTO
> Representing Big_Corporation_ABC
>
> Ralph Kramden
> Community-Based Transportation Technician
> Representing Small_Business_DEF
>
> -- individual signers: examples --
>
> David LeBlanc, Ph.D.
> Microsoft Information Security
>
> Steve Christey
> Lead Information Systems Engineer
> The MITRE Corporation
>